chore: address low-priority cleanup items

TablePro/AppDelegate+ConnectionHandler.swift

@@ -23,7 +23,7 @@ extension AppDelegate {
     // MARK: - Database URL Handler
 
     func handleDatabaseURL(_ url: URL) {
-        guard WindowOpener.shared.openWindow != nil else {
+        guard WindowOpener.shared.isReady else {
             queuedURLEntries.append(.databaseURL(url))
             scheduleQueuedURLProcessing()
             return
@@ -51,7 +51,11 @@ extension AppDelegate {
             connection = buildTransientConnection(from: parsed)
         }
 
+        let isTransient = matchedConnection == nil
+
         if !parsed.password.isEmpty {
+            // Save password to Keychain so the driver can resolve it at connect time.
+            // For transient connections, this is cleaned up after connect completes or fails.
             ConnectionStorage.shared.savePassword(parsed.password, for: connection.id)
         }
 
@@ -70,6 +74,14 @@ extension AppDelegate {
         openNewConnectionWindow(for: connection)
 
         Task { @MainActor in
+            defer {
+                // Clean up Keychain entry for transient connections after connect.
+                // The driver already holds the password in memory once connected,
+                // so the Keychain entry is no longer needed.
+                if isTransient {
+                    ConnectionStorage.shared.deletePassword(for: connection.id)
+                }
+            }
             do {
                 try await DatabaseManager.shared.connectToSession(connection)
                 for window in NSApp.windows where self.isWelcomeWindow(window) {
@@ -86,7 +98,7 @@ extension AppDelegate {
     // MARK: - SQLite File Handler
 
     func handleSQLiteFile(_ url: URL) {
-        guard WindowOpener.shared.openWindow != nil else {
+        guard WindowOpener.shared.isReady else {
             queuedURLEntries.append(.sqliteFile(url))
             scheduleQueuedURLProcessing()
             return
@@ -131,7 +143,7 @@ extension AppDelegate {
     // MARK: - DuckDB File Handler
 
     func handleDuckDBFile(_ url: URL) {
-        guard WindowOpener.shared.openWindow != nil else {
+        guard WindowOpener.shared.isReady else {
             queuedURLEntries.append(.duckdbFile(url))
             scheduleQueuedURLProcessing()
             return
@@ -176,7 +188,7 @@ extension AppDelegate {
     // MARK: - Generic Database File Handler
 
     func handleGenericDatabaseFile(_ url: URL, type dbType: DatabaseType) {
-        guard WindowOpener.shared.openWindow != nil else {
+        guard WindowOpener.shared.isReady else {
             queuedURLEntries.append(.genericDatabaseFile(url, dbType))
             scheduleQueuedURLProcessing()
             return
@@ -229,7 +241,7 @@ extension AppDelegate {
 
             var ready = false
             for _ in 0..<25 {
-                if WindowOpener.shared.openWindow != nil { ready = true; break }
+                if WindowOpener.shared.isReady { ready = true; break }
                 try? await Task.sleep(for: .milliseconds(200))
             }
             guard let self else { return }
@@ -258,7 +270,7 @@ extension AppDelegate {
 
     // MARK: - SQL File Queue (drained by .databaseDidConnect)
 
-    @objc func handleDatabaseDidConnect() {
+    @MainActor @objc func handleDatabaseDidConnect() {
         guard !queuedFileURLs.isEmpty else { return }
         let urls = queuedFileURLs
         queuedFileURLs.removeAll()

TablePro/AppDelegate+FileOpen.swift

@@ -193,9 +193,7 @@ extension AppDelegate {
         ConnectionStorage.shared.addConnection(connection)
         NotificationCenter.default.post(name: .connectionUpdated, object: nil)
 
-        if let openWindow = WindowOpener.shared.openWindow {
-            openWindow(id: "connection-form", value: connection.id)
-        }
+        NotificationCenter.default.post(name: .openConnectionFormWindow, object: connection.id)
     }
 
     // MARK: - Plugin Install

TablePro/AppDelegate+WindowConfig.swift

@@ -58,11 +58,11 @@ extension AppDelegate {
         return menu
     }
 
-    @objc func showWelcomeFromDock() {
+    @MainActor @objc func showWelcomeFromDock() {
         openWelcomeWindow()
     }
 
-    @objc func connectFromDock(_ sender: NSMenuItem) {
+    @MainActor @objc func connectFromDock(_ sender: NSMenuItem) {
         guard let connectionId = sender.representedObject as? UUID else { return }
         let connections = ConnectionStorage.shared.loadConnections()
         guard let connection = connections.first(where: { $0.id == connectionId }) else { return }
@@ -201,7 +201,7 @@ extension AppDelegate {
 
     // MARK: - Window Notifications
 
-    @objc func windowDidBecomeKey(_ notification: Notification) {
+    @MainActor @objc func windowDidBecomeKey(_ notification: Notification) {
         guard let window = notification.object as? NSWindow else { return }
         let windowId = ObjectIdentifier(window)
 
@@ -241,7 +241,7 @@ extension AppDelegate {
         }
     }
 
-    @objc func windowWillClose(_ notification: Notification) {
+    @MainActor @objc func windowWillClose(_ notification: Notification) {
         guard let window = notification.object as? NSWindow else { return }
 
         configuredWindows.remove(ObjectIdentifier(window))
@@ -261,7 +261,7 @@ extension AppDelegate {
         }
     }
 
-    @objc func windowDidChangeOcclusionState(_ notification: Notification) {
+    @MainActor @objc func windowDidChangeOcclusionState(_ notification: Notification) {
         guard let window = notification.object as? NSWindow,
               isHandlingFileOpen else { return }
 

TablePro/AppDelegate.swift

@@ -118,8 +118,4 @@ class AppDelegate: NSObject, NSApplicationDelegate {
     func applicationWillTerminate(_ notification: Notification) {
         SSHTunnelManager.shared.terminateAllProcessesSync()
     }
-
-    nonisolated deinit {
-        NotificationCenter.default.removeObserver(self)
-    }
 }

TablePro/ContentView.swift

@@ -31,8 +31,6 @@ struct ContentView: View {
     @State private var windowTitle: String
     @Environment(\.openWindow)
     private var openWindow
-    @Environment(AppState.self) private var appState
-
     private let storage = ConnectionStorage.shared
 
     init(payload: EditorTabPayload?) {

TablePro/Core/Database/DatabaseManager.swift

@@ -139,17 +139,11 @@ final class DatabaseManager {
         }
 
         do {
-            try await driver.connect()
-
-            // Apply query timeout from settings
-            let timeoutSeconds = AppSettingsManager.shared.general.queryTimeoutSeconds
-            if timeoutSeconds > 0 {
-                try await driver.applyQueryTimeout(timeoutSeconds)
-            }
-
-            // Run startup commands before schema init
-            await executeStartupCommands(
-                connection.startupCommands, on: driver, connectionName: connection.name
+            // Perform heavy driver setup off the main actor
+            try await performDriverSetup(
+                driver: driver,
+                startupCommands: connection.startupCommands,
+                connectionName: connection.name
             )
 
             // Initialize schema for drivers that support schema switching
@@ -330,6 +324,7 @@ final class DatabaseManager {
 
     /// Test-only: remove an injected session
     internal func removeSession(for connectionId: UUID) {
+        SharedSidebarState.removeConnection(connectionId)
         removeSessionEntry(for: connectionId)
     }
     #endif
@@ -605,16 +600,12 @@ final class DatabaseManager {
         // Use effective connection (tunneled) if available, otherwise original
         let connectionForDriver = session.effectiveConnection ?? session.connection
         let driver = try DatabaseDriverFactory.createDriver(for: connectionForDriver)
-        try await driver.connect()
-
-        // Apply timeout
-        let timeoutSeconds = AppSettingsManager.shared.general.queryTimeoutSeconds
-        if timeoutSeconds > 0 {
-            try await driver.applyQueryTimeout(timeoutSeconds)
-        }
 
-        await executeStartupCommands(
-            session.connection.startupCommands, on: driver, connectionName: session.connection.name
+        // Perform heavy driver setup off the main actor
+        try await performDriverSetup(
+            driver: driver,
+            startupCommands: session.connection.startupCommands,
+            connectionName: session.connection.name
         )
 
         if let savedSchema = session.currentSchema,
@@ -667,16 +658,12 @@ final class DatabaseManager {
 
             // Create new driver and connect
             let driver = try DatabaseDriverFactory.createDriver(for: effectiveConnection)
-            try await driver.connect()
-
-            // Apply timeout
-            let timeoutSeconds = AppSettingsManager.shared.general.queryTimeoutSeconds
-            if timeoutSeconds > 0 {
-                try await driver.applyQueryTimeout(timeoutSeconds)
-            }
 
-            await executeStartupCommands(
-                session.connection.startupCommands, on: driver, connectionName: session.connection.name
+            // Perform heavy driver setup off the main actor
+            try await performDriverSetup(
+                driver: driver,
+                startupCommands: session.connection.startupCommands,
+                connectionName: session.connection.name
             )
 
             if let savedSchema = activeSessions[sessionId]?.currentSchema,
@@ -768,6 +755,22 @@ final class DatabaseManager {
 
     nonisolated private static let startupLogger = Logger(subsystem: "com.TablePro", category: "DatabaseManager")
 
+    /// Connects the driver, applies query timeout, and runs startup commands off the main actor.
+    nonisolated private func performDriverSetup(
+        driver: DatabaseDriver,
+        startupCommands: String?,
+        connectionName: String
+    ) async throws {
+        try await driver.connect()
+
+        let timeoutSeconds = await AppSettingsManager.shared.general.queryTimeoutSeconds
+        if timeoutSeconds > 0 {
+            try await driver.applyQueryTimeout(timeoutSeconds)
+        }
+
+        await executeStartupCommands(startupCommands, on: driver, connectionName: connectionName)
+    }
+
     nonisolated private func executeStartupCommands(
         _ commands: String?, on driver: DatabaseDriver, connectionName: String
     ) async {

TablePro/Core/Plugins/PluginMetadataRegistry.swift

@@ -135,6 +135,13 @@ struct PluginMetadataSnapshot: Sendable {
     }
 }
 
+/// Thread-safety contract:
+/// - All mutable state (`snapshots`, `schemeIndex`, `reverseTypeIndex`) is protected by `lock`.
+/// - `registerBuiltInDefaults()` accesses state without the lock but is only called from `init()`,
+///   before the singleton is published to other threads.
+/// - `buildMetadataSnapshot(from:isDownloadable:)` is a pure function — no shared state access.
+/// - Not converted to a Swift `actor` because most call sites are synchronous; making every
+///   lookup `async` would be too invasive.
 final class PluginMetadataRegistry: @unchecked Sendable {
     static let shared = PluginMetadataRegistry()
 

TablePro/Core/SchemaTracking/StructureChangeManager.swift

@@ -78,7 +78,7 @@ final class StructureChangeManager {
         self.currentForeignKeys = groupedFKs.keys.sorted().compactMap { name -> EditableForeignKeyDefinition? in
             guard let fkInfos = groupedFKs[name], let first = fkInfos.first else { return nil }
             return EditableForeignKeyDefinition(
-                id: first.id,
+                id: UUID(),
                 name: first.name,
                 columns: fkInfos.map { $0.column },
                 referencedTable: first.referencedTable,

TablePro/Core/Services/Export/ExportService.swift

@@ -72,20 +72,7 @@ final class ExportService {
 
     // MARK: - Cancellation
 
-    private let isCancelledLock = NSLock()
-    private var _isCancelled: Bool = false
-    var isCancelled: Bool {
-        get {
-            isCancelledLock.lock()
-            defer { isCancelledLock.unlock() }
-            return _isCancelled
-        }
-        set {
-            isCancelledLock.lock()
-            _isCancelled = newValue
-            isCancelledLock.unlock()
-        }
-    }
+    private(set) var isCancelled = false
 
     func cancelExport() {
         isCancelled = true

TablePro/Core/Services/Infrastructure/WindowOpener.swift

@@ -15,23 +15,20 @@ internal final class WindowOpener {
 
     internal static let shared = WindowOpener()
 
-    /// Set by ContentView when it appears. Safe to store — OpenWindowAction is app-scoped, not view-scoped.
-    internal var openWindow: OpenWindowAction?
+    /// True once any SwiftUI scene has appeared and stored `openWindow`.
+    /// Used as a readiness check by AppDelegate cold-start queue.
+    internal var isReady: Bool = false
 
     /// The connectionId for the next window about to be opened.
     /// Set by `openNativeTab` before calling `openWindow`, consumed by
     /// `AppDelegate.windowDidBecomeKey` to set the correct `tabbingIdentifier`.
     internal var pendingConnectionId: UUID?
 
-    /// Opens a new native window tab with the given payload.
-    /// Stores the connectionId so AppDelegate can set the correct tabbingIdentifier.
+    /// Opens a new native window tab by posting a notification.
+    /// The `OpenWindowHandler` in TableProApp receives it and calls `openWindow`.
     internal func openNativeTab(_ payload: EditorTabPayload) {
         pendingConnectionId = payload.connectionId
-        guard let openWindow else {
-            Self.logger.warning("openNativeTab called before openWindow was set — payload dropped")
-            return
-        }
-        openWindow(id: "main", value: payload)
+        NotificationCenter.default.post(name: .openMainWindow, object: payload)
     }
 
     /// Returns and clears the pending connectionId (consume-once pattern).

TablePro/Core/Storage/KeychainHelper.swift

@@ -263,10 +263,8 @@ final class KeychainHelper {
                 continue
             }
 
-            // When opting IN (synchronizable=true), delete the old local-only item safely.
-            // When opting OUT (synchronizable=false), keep the synchronizable item — deleting it
-            // would propagate via iCloud Keychain and remove it from other Macs still opted in.
             if synchronizable {
+                // When opting IN: delete the old local-only item safely.
                 let deleteQuery: [String: Any] = [
                     kSecClass as String: kSecClassGenericPassword,
                     kSecAttrService as String: service,
@@ -277,7 +275,24 @@ final class KeychainHelper {
                 let deleteStatus = SecItemDelete(deleteQuery as CFDictionary)
                 if deleteStatus != errSecSuccess, deleteStatus != errSecItemNotFound {
                     Self.logger.warning(
-                        "Migrated item '\(account, privacy: .public)' but failed to delete old entry: \(deleteStatus)"
+                        "Migrated item '\(account, privacy: .public)' but failed to delete old local entry: \(deleteStatus)"
+                    )
+                }
+            } else {
+                // When opting OUT: delete the stale synchronizable copy so it doesn't
+                // linger in iCloud Keychain. This will remove the credential from other
+                // devices that have iCloud Keychain enabled.
+                let deleteSyncQuery: [String: Any] = [
+                    kSecClass as String: kSecClassGenericPassword,
+                    kSecAttrService as String: service,
+                    kSecAttrAccount as String: account,
+                    kSecUseDataProtectionKeychain as String: true,
+                    kSecAttrSynchronizable as String: true
+                ]
+                let deleteStatus = SecItemDelete(deleteSyncQuery as CFDictionary)
+                if deleteStatus != errSecSuccess, deleteStatus != errSecItemNotFound {
+                    Self.logger.warning(
+                        "Migrated item '\(account, privacy: .public)' but failed to delete old synchronizable entry: \(deleteStatus)"
                     )
                 }
             }